[Awesome Security] DST Root CA X3 Expiration and use ISRG Root X1 - Let’s Encrypt SSL certificate
DST Root CA X3 Expiration and use ISRG Root X1
Update, September 30, 2021: As planned, the DST Root CA X3 cross-sign has expired, and we’re now using our own ISRG Root X1 for trust on almost all devices. For more details about the plan, keep reading! We have also updated our Production Chain Changes thread on our community forum - our team and community are here and ready to help with any questions you may have about this expiration.
On September 30 2021, there will be a small change in how older browsers and devices trust Let’s Encrypt certificates. If you run a typical website, you won’t notice a difference - the vast majority of your visitors will still accept your Let’s Encrypt certificate. If you provide an API or have to support IoT devices, you might have to pay a little more attention to the change.
Test the DST Root CA X3 cross-sign
DST Root CA X3 cross-sign has expired
Solution
CentOS
yum install -y ca-certificates
Debian, Ubuntu
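Fix for Debian and Ubuntu: deselect DST_Root_CA_X3.crt in /etc/ca-certificates.conf. A line prefixed with ! in that file is deselected, so the certificate is left out of the trust store on the next update.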
Install ca-certificates package
sudo apt install -y ca-certificates
Deselect mozilla/DST_Root_CA_X3.crt in /etc/ca-certificates.conf by prefixing its line with !
sudo sed -i '/^mozilla\/DST_Root_CA_X3\.crt$/ s/^/!/' /etc/ca-certificates.conf
Update ca-certificates with update-ca-certificates
sudo update-ca-certificates
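To preview what the sed step does before touching the real file, the following added example (not part of the original page) applies the same expression to a constructed copy of ca-certificates.conf and reports each certificate's state. The function names deselect_dst, cert_state and make_sample_conf and the sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: dry-run the deselect step on a constructed sample file.

# Apply the page's sed expression to the file given as $1.
# Written via a temp file instead of -i so it also works with non-GNU sed.
deselect_dst() {
    sed '/^mozilla\/DST_Root_CA_X3\.crt$/ s/^/!/' "$1" > "$1.tmp" &&
        mv "$1.tmp" "$1"
}

# Print the state of certificate $2 in conf file $1:
#   selected   - listed as-is, will be installed into the trust store
#   deselected - listed with a leading "!", will be skipped
#   absent     - no entry at all
cert_state() {
    if grep -qxF "mozilla/$2" "$1"; then
        echo selected
    elif grep -qxF "!mozilla/$2" "$1"; then
        echo deselected
    else
        echo absent
    fi
}

# Write a constructed sample in the ca-certificates.conf layout to $1.
make_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real system file
# lines starting with "!" are deselected
mozilla/DST_Root_CA_X3.crt
mozilla/ISRG_Root_X1.crt
EOF
}

conf=$(mktemp)
make_sample_conf "$conf"
deselect_dst "$conf"
deselect_dst "$conf"   # second run is a no-op: the anchored pattern no longer matches
for c in DST_Root_CA_X3.crt ISRG_Root_X1.crt; do
    printf '%s: %s\n' "$c" "$(cert_state "$conf" "$c")"
done
rm -f "$conf"
```

On a real system, cert_state /etc/ca-certificates.conf DST_Root_CA_X3.crt should report deselected after the fix, while ISRG_Root_X1.crt stays selected.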
Test
Test the ISRG Root X1 Certificate.
ISRG Root X1